
SharePoint Spoofing Flaw: Why On-Premises Businesses Need This Patch Now

A SharePoint vulnerability is actively being exploited to trick users and steal data. If you’re running it on-premises, this patch cannot wait.

By The Dragon Digital team


SharePoint sits at the heart of a lot of North Wales businesses. Accountancy practices use it to store client records. Legal firms share case files through it. Property developers manage contracts on it. So when a vulnerability is actively being exploited in the wild, anyone running on-premises SharePoint needs to act quickly.

Microsoft recently patched a spoofing vulnerability, CVE-2026-32201, that was already being targeted before the fix was even available. According to security researchers at BleepingComputer, over 1,300 internet-facing SharePoint servers were still unpatched three weeks after the fix was released. That’s a lot of open doors.

What the Vulnerability Actually Does

What makes this one worth flagging is that an attacker does not need your login credentials to exploit it. A specially crafted request can be made to appear as though it came from your own trusted SharePoint server. No user interaction required. No elevated privileges needed.

In plain terms: your staff could receive what looks like a trustworthy internal document or request, and it would appear to come from inside your own system. Think of a memo asking someone to update banking details, reset a password, or share sensitive files. It is crafted to look legitimate. Attackers can view files and manipulate what users see, which sounds contained but is actually deception at scale.

Security researchers have also flagged that this flaw could be chained with other vulnerabilities, meaning it might be used as one step in a longer attack sequence rather than a standalone hit.

What You Should Do

If you are running SharePoint 2016, SharePoint 2019, or SharePoint Server Subscription Edition on-premises, your IT support partner should already be testing and deploying these patches. If they have not mentioned it, it is worth raising.

If you are using SharePoint Online as part of Microsoft 365, you are already covered. Microsoft handles those updates automatically.

CISA, the US cybersecurity agency, added this vulnerability to its actively exploited list and gave federal agencies a hard deadline to patch. That gives you a sense of the urgency involved.

This sort of spoofing attack is also worth understanding in a broader context. Our article on why external emails can look like they come from your own staff covers a related topic that catches a lot of businesses off guard.

If you are unsure whether your SharePoint setup is affected, or you want someone to check your exposure and get the patches deployed without disrupting your day-to-day, get in touch with the Dragon Digital team and we will get it sorted.

Could your business use a hand with its IT?

We provide managed IT support, cyber security and more to businesses across North Wales.

Ready to make IT one less thing to worry about?

Book a free, no-obligation consultation. We'll talk through how your IT works today and where we can help, in plain English, with no pressure.